Continuous Security Using requireSafe with circleci

Combining a continuous integration service like circleci with requireSafe gives you continuous security for your Node.js projects: every build checks your dependency tree against the known-vulnerability advisories, not just the one time you happened to run the check by hand.

If you haven't used circleci before, be sure to check out the docs for how to get started before you dive in to integrate requireSafe.

Once you have circleci all set up, it's quite easy to add requireSafe checking so that you know right away when a dependency with a known vulnerability ends up anywhere in your dependency tree.

First, add requiresafe as a dev dependency:

```sh
npm i requiresafe --save-dev
```

Next, add a script to your package.json so that `npm run requiresafe` runs `requiresafe check`. Ours looks something like this:

```json
{
  "scripts": {
    "test": "lab -a code -t 100 -L",
    "requiresafe": "requiresafe check"
  }
}
```

In your circle.yml file, add a `pre` or `post` handler to your `test` section to run the requiresafe utility. `pre` runs it before your test suite, `post` after; either way a non-zero exit from `requiresafe check` fails the step, and with it the build.

```yaml
test:
  pre:
    - npm run requiresafe
```

That's it. When circleci runs your builds, the requiresafe output shows up in the build log for that step; when it doesn't find anything, the step passes and the build carries on.

If vulnerabilities are found and you want to acknowledge and accept that risk, you can add exceptions for those specific advisories so they don't continue to break the build, while any newly published advisory still fails it. Pretty neat huh?
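To show what accepting a specific advisory looks like, here is an added example of an exceptions file; it is not from the original post or the requiresafe project, and both the filename (`.requiresaferc`) and the `exceptions` key are assumptions on my part, so check the requiresafe README for the exact format before relying on it. The advisory URL is a placeholder for whichever advisory URL `requiresafe check` prints for the finding you are accepting.

```json
{
  "exceptions": [
    "https://nodesecurity.io/advisories/<advisory-id-from-requiresafe-output>"
  ]
}
```

Keep this file in the repository root next to package.json and commit it, so the accepted risk is reviewed in a pull request like any other change and the exception list does not silently grow on one developer's machine.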
